04/18/18: Web Server phpMyAdmin setup.php Code Injection

Threat Summary

Overview

A vulnerability exists within the setup feature of phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1 that allows a remote, unauthenticated attacker to inject arbitrary PHP code into a configuration file written to the server.

Exploitation

Stages

The attacker requests the phpMyAdmin setup script page and extracts cookie and CSRF token data from the response.

The attacker submits a POST request containing the form data expected by the setup script. The ‘configuration’ parameter contains the code to be injected as part of the serialized PHP data.

The server processes the POST request and generates a ‘config.inc.php’ file including the injected code. The file is then written to the server in the ‘/config/’ directory.

The attacker requests the generated file, executing the injected PHP code on the server.

Prerequisites

The attack is possible only if:

A webserver is running a vulnerable version of phpMyAdmin

There is a ‘/config/’ directory within the base phpMyAdmin path with write permissions

There is a set of valid session cookies

There are valid CSRF tokens

Vulnerability Description

The 'setup.php' script accepts configuration data in the form of serialized PHP, which is written to a configuration file as part of the wizard-assisted setup process. The script sanitizes the serialized values in the configuration data. However, it fails to perform the same sanitization on the array keys, allowing arbitrary PHP code to be injected. The resulting configuration file is written to a predictable location on the server, allowing the attacker to easily request the file and execute the injected code.
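The following added example (written for this page, not phpMyAdmin's own code) shows the key-side check the description says was missing: it parses the URL-decoded 'configuration' value as serialized PHP and reports every array key that is not a plain identifier, so an inspection layer or the setup script itself can refuse the request before anything is written to config.inc.php. It assumes that legitimate config keys are limited to letters, digits, underscores and integer indexes, and handles only the int, string and array types; the sample values are constructed.

```python
import re

# Assumed rule for this example: legitimate config keys are plain identifiers.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]+$")

def _parse(s, i):
    """Parse one PHP-serialized value (int, string or array) at offset i; return (value, next_offset)."""
    t = s[i]
    if t == "i":                       # i:42;
        j = s.index(";", i)
        return int(s[i + 2:j]), j + 1
    if t == "s":                       # s:5:"hello";  (length is a byte count; ASCII samples here)
        j = s.index(":", i + 2)
        n = int(s[i + 2:j])
        start = j + 2                  # skip :"
        return s[start:start + n], start + n + 2   # skip ";
    if t == "a":                       # a:2:{key;value;key;value;}
        j = s.index(":", i + 2)
        count, i, out = int(s[i + 2:j]), j + 2, {}
        for _ in range(count):
            k, i = _parse(s, i)
            v, i = _parse(s, i)
            out[k] = v
        return out, i + 1              # skip }
    raise ValueError(f"unsupported or malformed value at offset {i}")

def unsafe_keys(data, path=()):
    """Walk a nested dict and collect the paths of string keys that fail SAFE_KEY."""
    found = []
    for k, v in data.items():
        here = path + (k,)
        if isinstance(k, str) and not SAFE_KEY.match(k):
            found.append(here)
        if isinstance(v, dict):
            found.extend(unsafe_keys(v, here))
    return found

def check_configuration(serialized):
    """Return key paths that must not be written into config.inc.php; [] means clean."""
    data, end = _parse(serialized, 0)
    if end != len(serialized) or not isinstance(data, dict):
        raise ValueError("configuration must be exactly one serialized PHP array")
    return unsafe_keys(data)

# Constructed samples of the decoded 'configuration' parameter.
BENIGN = 'a:1:{s:7:"Servers";a:1:{i:1;a:2:{s:4:"host";s:9:"localhost";s:9:"auth_type";s:6:"cookie";}}}'
INJECTED_KEY = "host'; INJECTED_PHP_HERE"       # placeholder shape of a hostile key, not a payload
MALICIOUS = ('a:1:{s:7:"Servers";a:1:{i:1;a:1:{'
             f's:{len(INJECTED_KEY)}:"{INJECTED_KEY}";s:9:"localhost";}}}}}}')
```

The values in the hostile sample are as harmless as in the benign one; only the key would be emitted unescaped, which is exactly what this check catches.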

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.